  1. #1
    Member
    Join Date
    Dec 2002
    Posts
    11

    Please help with open_basedir!

    Hi, I have like 20 clients on my server and each of them has his own VirtualHost entry in httpd.conf.

    I want to set the PHP open_basedir directive for every client, so that they will be able to include files only from their home directories.

    I don't want to write

    php_admin_value open_basedir "/home/client/"

    in every VirtualHost entry

    Is there any solution to do it for all clients with one line?

    Thanks

  2. #2
    Member
    Join Date
    Dec 2002
    Posts
    11


    Anybody? Please help!

  3. #3
    Radio_Head, Member. This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Feb 2002
    Posts
    2,064


    I don't think it's possible.

    In any case, with open_basedir you are not safe; your clients will still be able to see /etc/passwd and other files.

    At this time the only safe solution is PHP safe mode (however, it's too restrictive).

    Bye

    P.S. Does anyone know if something changed with PHP 4.3.0 regarding the security issues related to PHP safe mode and the usage of open_basedir?
    Stop SPAM & VIRUS :: ASSP Deluxe for cPanel http://www.grscripts.com
    █ ASSP Deluxe is supported by Fritz Borgstedt,ASSP main developer.

  4. #4
    Member
    Join Date
    Dec 2002
    Posts
    11


    Along with open_basedir I also use disable_functions to disable the functions system() and readfile().

    What if I have 100 clients on one machine? That means that I have to add to every VirtualHost something like:

    <VirtualHost xxx.xxx.xxx.xxx>

    php_admin_value open_basedir "/home/[user]/"
    php_admin_value disable_functions "system, readfile"

    ....
    ....

    </VirtualHost>


    ???

    This will take a lot of time!
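
An added example, not part of the thread: rather than checking 100 VirtualHost entries by hand, a short audit can list the blocks whose open_basedir is missing or does not match the account's home directory, and print the line each one needs. It assumes the /home/[user]/ layout from the post with DocumentRoot somewhere beneath it; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample httpd.conf fragment (not taken from the thread).
SAMPLE_CONF = '''
<VirtualHost 192.0.2.10>
    ServerName alice.example
    DocumentRoot /home/alice/public_html
    php_admin_value open_basedir "/home/alice/"
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName bob.example
    DocumentRoot /home/bob/public_html
</VirtualHost>
<VirtualHost 192.0.2.10>
    ServerName carol.example
    DocumentRoot /home/carol/public_html
    php_admin_value open_basedir "/home/car"
</VirtualHost>
'''

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the unquoted value of the first `name ...` line in a block, or None."""
    m = re.search(r"^\s*" + name + r"\s+(.+?)\s*$", body, re.M | re.I)
    return m.group(1).strip("\"'") if m else None

def audit(conf):
    """Return (server_name, problem, suggested_line) for each weak VirtualHost."""
    findings = []
    for m in VHOST_RE.finditer(conf):
        body = m.group(1)
        name = directive(body, "ServerName") or "(unnamed)"
        docroot = directive(body, "DocumentRoot") or ""
        home = re.match(r"(/home/[^/]+)/", docroot + "/")
        if not home:
            continue  # layout differs from the assumed /home/[user]/ scheme
        want = home.group(1) + "/"  # trailing slash: old PHP treats the value as a prefix
        fix = 'php_admin_value open_basedir "%s"' % want
        have = directive(body, r"php_admin_value\s+open_basedir")
        if have is None:
            findings.append((name, "missing", fix))
        elif have != want:
            findings.append((name, "does not match " + want, fix))
    return findings

if __name__ == "__main__":
    for name, problem, fix in audit(SAMPLE_CONF):
        print("%s: open_basedir %s -> %s" % (name, problem, fix))
```

The exact-match check also flags values that list several directories, so those entries need a manual look.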

  5. #5
    Radio_Head, Member. This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Feb 2002
    Posts
    2,064


    Someone on my server was able to install
    and run phpmyshell http://www.digitart.com.mx/php/myshell/security.html

    I was using open_basedir on that user. As you can see, open_basedir is not useful to be safe.

  6. #6
    dgbaker, Moderator, cPanel Partner NOC
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773


    Very interesting script. And I can see the problem of not being able to keep the user in the right directory, as the script runs as the webserver ID (nobody in most cases) and not the user. And since the webserver has read access to almost everywhere, that's why it gets through.

    This is the same issue with several scripts out there that mimic shell access, they run as webserver ID and not the user themselves.
    Regards,
    David
    Forum Moderator
